Researchers have demonstrated a new exploit for the Spectre flaw that bypasses the Indirect Branch Predictor Barrier (IBPB), the protection meant to stop it. The issue affects modern AMD and Intel CPUs and may result in data leaks.
All About the Spectre Flaw
Researchers at ETH Zürich, Johannes Wikner and Kaveh Razavi, found that the Spectre vulnerability, first reported over six years ago, still affects newer Intel and AMD processors.
The relevant identifiers are CVE-2017-5715 for Intel and CVE-2022-23824 for AMD; both concern the Indirect Branch Predictor Barrier (IBPB), a protection against speculative execution attacks.
This defense was meant to prevent Spectre v2 attacks, but the new findings reveal that attackers can bypass it, potentially leaking sensitive information like hashed passwords from high-privilege processes.
Despite the strong protections x86 CPU vendors added after Spectre was discovered, a bug in Intel's newer Golden Cove and Raptor Cove architectures means some branch predictions remain usable when IBPB should have invalidated them. This flaw makes effective cross-process Spectre attacks possible, turning the very defense meant to protect sensitive information into the weak point.
Spectre takes advantage of a feature in modern processors that allows them to guess which instructions to execute next based on predicted paths. Instead of executing instructions in order, the processor tries to anticipate the next action and pre-loads the necessary data.
If the prediction is correct, the task runs faster. If it’s wrong, the speculative instructions are discarded, and the processor continues with the correct values.
This feature was designed to boost performance, but researchers have shown that attackers can exploit it to access restricted memory and sensitive data. However, successfully exploiting Spectre requires specific conditions that are hard to meet.
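To make the mechanism concrete, here is a toy model of a branch predictor shared by two processes and of the barrier IBPB is supposed to provide. It is an illustration written for this article, not code from the ETH Zürich researchers; the process names, branch address and target labels are made up. The point it shows is that the committed result is identical with or without the barrier, but without it the second process speculatively executes a target that only the first process ever trained, which is the cross-process leak path IBPB exists to close.

```python
"""Toy model of a branch predictor shared across processes and the IBPB barrier.

Added illustration for this article, not code from the ETH Zürich researchers.
Process names, branch addresses and targets are made-up labels.
"""


class IndirectBranchPredictor:
    """Crude branch target buffer: last seen target per branch address.

    Real predictors are indexed by (partial) address and history, so two
    processes using the same virtual branch address share an entry; that
    sharing is exactly what IBPB is supposed to cut off.
    """

    def __init__(self):
        self.targets = {}

    def predict(self, branch_addr):
        return self.targets.get(branch_addr)

    def update(self, branch_addr, actual_target):
        self.targets[branch_addr] = actual_target

    def barrier(self):
        """IBPB: invalidate all predictions so earlier training cannot steer later code."""
        self.targets.clear()


class Core:
    """Executes indirect branches, speculating on the predicted target first."""

    def __init__(self, predictor):
        self.predictor = predictor
        # Microarchitectural side effects (e.g. cache lines touched) are never rolled back.
        self.speculative_trace = []
        # Only the resolved target is ever committed to architectural state.
        self.committed = []

    def run_indirect_branch(self, process, branch_addr, actual_target):
        predicted = self.predictor.predict(branch_addr)
        if predicted is not None:
            # Speculatively run the guessed target before the real one is known.
            self.speculative_trace.append((process, predicted))
        # Branch resolves: a wrong guess is squashed, the real target commits.
        self.committed.append((process, actual_target))
        self.predictor.update(branch_addr, actual_target)
        return predicted == actual_target


def cross_process_run(use_barrier):
    """Train the predictor in process A, then run process B on the same branch address."""
    predictor = IndirectBranchPredictor()
    core = Core(predictor)
    for _ in range(3):
        core.run_indirect_branch("A", 0x1000, "A_target")
    if use_barrier:
        predictor.barrier()  # what the kernel issues on a context switch when IBPB works
    prediction_hit = core.run_indirect_branch("B", 0x1000, "B_target")
    # Targets B never asked for but ran speculatively: the residue that can be observed.
    foreign = [t for p, t in core.speculative_trace if p == "B" and t != "B_target"]
    return {
        "committed": core.committed[-1],
        "prediction_hit": prediction_hit,
        "foreign_targets_speculated": foreign,
    }


if __name__ == "__main__":
    for flag in (False, True):
        print("barrier" if flag else "no barrier", cross_process_run(flag))
```

The Intel behaviour the article describes corresponds to a `barrier()` that fails to clear every entry; the model's barrier is the intended one, so the "with barrier" run is what a correctly working IBPB is supposed to produce.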
First, the attacker must run code on the same machine as the target application. Second, they need to know the target memory addresses. The researchers conducted their experiments on Linux because they did not have access to the source code of other major operating systems.
Intel: An attacker running code alongside a target application on an Intel processor can trigger speculative execution that touches sensitive memory. A microcode bug lets stale branch predictions survive IBPB, leaking data such as the root password hash from SUID processes.
AMD: On AMD processors, the attacker runs code in an unprivileged process alongside a privileged one; IBPB can be bypassed, exposing sensitive kernel memory.
Notably, attacks on AMD processors become more effective at higher temperatures due to the RowHammer effect, which raises the likelihood of branch prediction errors and CPU vulnerabilities. Higher temperatures also cause more “bit errors” in DRAM cells.
Incomplete Fixes
Vulnerabilities affecting Intel’s 12th to 14th generation Core processors and 5th to 6th generation Xeon processors, as well as AMD’s Zen 1(+) and Zen 2 processors, are still present. Intel released a patch in March 2024, but not all hardware has received it, while AMD addressed the issue in November 2022. Users must ensure their updates are applied, as patch availability varies, especially on Linux systems. Additional action from OS vendors and hypervisor developers is needed for full protection.
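Since the article leaves "make sure your updates are applied" to the reader, here is a check an administrator can run on Linux. It is an added example, not from the article or the researchers: it parses the kernel's `/sys/devices/system/cpu/vulnerabilities/spectre_v2` status line (verdict plus the `IBPB:` mode) and the microcode revision from `/proc/cpuinfo`, then turns them into findings. The meaning given to `conditional` and `always-on` follows the kernel's Spectre admin-guide documentation; the sample strings embedded at the bottom are constructed so the parsers can be exercised offline.

```python
"""Check what a Linux kernel reports about Spectre v2 / IBPB and the CPU microcode.

Added example, not from the article or the researchers. The sample strings at
the bottom are constructed so the parsers can be exercised offline.
"""
import re
from pathlib import Path

SPECTRE_V2_SYSFS = Path("/sys/devices/system/cpu/vulnerabilities/spectre_v2")
CPUINFO = Path("/proc/cpuinfo")


def parse_spectre_v2(status):
    """Split the one-line spectre_v2 status into verdict, IBPB mode and the other tokens.

    Typical contents: 'Mitigation: Retpolines; IBPB: conditional; IBRS_FW; ...',
    'Vulnerable: ...' or 'Not affected'.
    """
    status = status.strip()
    verdict, _, rest = status.partition(":")
    tokens = [t.strip() for t in rest.split(";") if t.strip()]
    ibpb = None
    for tok in tokens:
        match = re.match(r"IBPB:\s*(\S+)", tok)
        if match:
            ibpb = match.group(1)
    return {"verdict": verdict.strip(), "ibpb": ibpb, "tokens": tokens, "raw": status}


def parse_cpuinfo(text):
    """Pull vendor, family/model and microcode revision from the first processor block."""
    fields = {}
    for line in text.split("\n\n")[0].splitlines():
        key, _, val = line.partition(":")
        fields[key.strip()] = val.strip()
    return {
        "vendor": fields.get("vendor_id"),
        "family": fields.get("cpu family"),
        "model": fields.get("model"),
        "microcode": fields.get("microcode"),
    }


def assess(spectre_v2, cpu):
    """Turn the parsed state into findings an administrator would act on."""
    findings = []
    if spectre_v2["verdict"] == "Not affected":
        return ["kernel reports this CPU as not affected by Spectre v2"]
    if spectre_v2["verdict"] == "Vulnerable":
        findings.append("kernel reports Spectre v2 VULNERABLE: " + spectre_v2["raw"])
    if spectre_v2["ibpb"] is None:
        findings.append("no IBPB in the mitigation string; cross-process isolation depends on it")
    elif spectre_v2["ibpb"] == "conditional":
        findings.append("IBPB is conditional: issued on context switch only for tasks that opted in "
                        "(prctl, or seccomp depending on the spectre_v2_user= boot option)")
    elif spectre_v2["ibpb"] == "always-on":
        findings.append("IBPB is always-on for every context switch")
    elif spectre_v2["ibpb"] == "disabled":
        findings.append("IBPB is explicitly disabled")
    if cpu["microcode"] is None:
        findings.append("no microcode revision in /proc/cpuinfo; cannot confirm the vendor fix is loaded")
    else:
        findings.append(f"microcode {cpu['microcode']} on {cpu['vendor']} family {cpu['family']} "
                        f"model {cpu['model']}; compare with the vendor's current release for this model")
    return findings


def check(spectre_text=None, cpuinfo_text=None):
    """Assess the given text, or the live system when called with no arguments."""
    if spectre_text is None:
        spectre_text = SPECTRE_V2_SYSFS.read_text()
    if cpuinfo_text is None:
        cpuinfo_text = CPUINFO.read_text()
    return assess(parse_spectre_v2(spectre_text), parse_cpuinfo(cpuinfo_text))


# Constructed sample input (not captured from a real machine).
SAMPLE_SPECTRE_V2 = "Mitigation: Retpolines; IBPB: conditional; IBRS_FW; STIBP: conditional; RSB filling"
SAMPLE_CPUINFO = (
    "processor\t: 0\n"
    "vendor_id\t: GenuineIntel\n"
    "cpu family\t: 6\n"
    "model\t\t: 42\n"
    "model name\t: constructed sample CPU\n"
    "microcode\t: 0x1\n"
    "\n"
    "processor\t: 1\n"
    "vendor_id\t: GenuineIntel\n"
)

if __name__ == "__main__":
    for finding in check(SAMPLE_SPECTRE_V2, SAMPLE_CPUINFO):
        print("-", finding)
```

Run it as is to see the output for the constructed sample; call `check()` with no arguments on a live Linux host to read the real sysfs and `/proc/cpuinfo` values. The script deliberately does not judge whether a given microcode revision contains the March 2024 Intel or November 2022 AMD fix, because the required revision depends on the exact CPU model and must be taken from the vendor's release notes.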